Thursday, 9 February 2017

Ticketbleed (CVE-2016-9244)

A vulnerability similar to the well-known Heartbleed was discovered in the TLS/SSL stack of F5 BIG-IP appliances. It allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time. The vulnerability is called Ticketbleed because it lies in the implementation of Session Tickets, a resumption technique used to speed up repeated connections. It affects the proprietary F5 TLS stack.

Test

You can test your domain using the automated script, which you can find at: https://filippo.io/Ticketbleed/

Alternatively, you can test for Ticketbleed yourself with a Go script: here
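For reviewing handshakes you have already captured, the check below is an added example, not the script linked above and not F5's code. It assumes the publicly documented Ticketbleed behaviour, which this page does not spell out: when resuming by ticket, an affected server echoes a full 32-byte session ID even if the client sent a shorter one. All function names and sample records are constructed for illustration.

```python
import struct

def server_hello_session_id(record: bytes) -> bytes:
    """Return the session_id field of a ServerHello carried in one TLS record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4 or body[0] != 0x02:
        raise ValueError("truncated record or not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # server_version (2 bytes) and random (32 bytes) precede the length byte.
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ServerHello")
    sid_len = hello[34]
    sid = hello[35:35 + sid_len]
    if sid_len > 32 or len(sid) != sid_len:
        raise ValueError("invalid session_id length")
    return sid

def over_echoed_bytes(client_sid: bytes, server_hello_record: bytes) -> bytes:
    """Bytes the server returned beyond the session ID the client sent.

    Empty means the echo was exact, or the server ignored the ticket and
    issued an unrelated ID. A very short client ID can prefix-match a fresh
    random ID by chance, so confirm a hit on more than one handshake.
    """
    sid = server_hello_session_id(server_hello_record)
    if 0 < len(client_sid) < len(sid) and sid.startswith(client_sid):
        return sid[len(client_sid):]
    return b""

def build_server_hello(sid: bytes) -> bytes:
    """Constructed sample: minimal TLS 1.2 ServerHello record, no extensions."""
    hello = b"\x03\x03" + bytes(32) + bytes([len(sid)]) + sid + b"\xc0\x2f\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

CLIENT_SID = b"\x41"                                      # constructed 1-byte ID
AFFECTED = build_server_hello(CLIENT_SID + b"\xee" * 31)  # 31 stand-in bytes
CORRECT = build_server_hello(CLIENT_SID)                  # exact echo

if __name__ == "__main__":
    for name, rec in (("affected", AFFECTED), ("correct", CORRECT)):
        extra = over_echoed_bytes(CLIENT_SID, rec)
        print(f"{name}: {len(extra)} extra bytes {extra.hex()}")
```

The 31 extra bytes in the affected sample correspond to the "up to 31 bytes" figure above: a 32-byte echo minus the single byte the client supplied.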

Fixes and mitigation

The full list of affected versions is available on the F5 website. At the time of this public disclosure not all releases have upgrade candidates available.

Disabling Session Tickets is a complete mitigation, which will only cause a performance degradation in the set-up phase of resumed connections.

Reproduced here are the instructions provided by F5 and available at the link above.